
Security & Compliance: SSO, RBAC, Audit, mTLS, Key Management, SBOM #101

@IgnacioPro

Description


Lumo needs SSO/OIDC/SAML and RBAC for multi-tenant/org identity, audit trails and mTLS for API/agent communication, secrets/key rotation, envelope encryption for Postgres/Redis, and complete SBOM/image/binary signing coverage.

Paths to start:

  • Identity/auth (SSO/OIDC/SAML): see current API users/keys; add OIDC/JWT plumbing alongside API key flows (internal/api/auth.go, deployment configs)
  • RBAC: org/project/resource model, role templates (admin/auditor/operator) (internal/api/auth.go, internal/database/roles.go)
  • Audit: inspect/remediate/fix flows (internal/doctor/, internal/remediation/, internal/audit/ if present; otherwise, add)
  • mTLS: agent and API server configs; see deployment/k8s manifests, deploy-saas, agent CLI
  • Key rotation: centralize API keys in DB, add expiry and rotation; inspection in internal/api/auth.go, key ingestion in docs
  • SBOM/signing: GoReleaser, container build GH Actions, validate with trivy, cosign pipelines

Test coverage: add SAST/gitleaks/semgrep runs on all critical flows.

References to update: internal/api/auth.go, deployments/kubernetes/kind/deploy-saas, release pipeline.
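The key-rotation, RBAC and audit items above, worked through as one added Go example. This is not Lumo's code and not from the issue author: the in-memory store standing in for the central API-key table, the permission vocabulary (inspect/remediate/manage_keys/read_audit), the bearer-token layout `<id>.<secret>` and the audit record shape are all assumptions. It shows the three properties the issue asks for together: keys carry an expiry and rotate with a grace window instead of a hard cut, authorization checks tenant (org) isolation before the role template, and every allow/deny decision lands in an audit trail.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Role templates named in the issue; the permission names below are an assumption.
type Role string

const (
	RoleAdmin    Role = "admin"
	RoleAuditor  Role = "auditor"
	RoleOperator Role = "operator"
)

var rolePerms = map[Role]map[string]bool{
	RoleAdmin:    {"inspect": true, "remediate": true, "manage_keys": true, "read_audit": true},
	RoleAuditor:  {"inspect": true, "read_audit": true},
	RoleOperator: {"inspect": true, "remediate": true},
}

// APIKey is the stored record: only a SHA-256 digest of the secret is kept, never the secret.
type APIKey struct {
	ID, OrgID string
	Role      Role
	Hash      [32]byte
	ExpiresAt time.Time
}

// AuditEntry records every authentication/authorization decision (hypothetical schema).
type AuditEntry struct {
	At            time.Time
	KeyID, OrgID  string
	Action        string
	Allowed       bool
	Reason        string
}

// KeyStore stands in for the DB table the issue proposes; the clock is injectable for tests.
type KeyStore struct {
	keys  map[string]*APIKey
	Audit []AuditEntry
	now   func() time.Time
}

func NewKeyStore(now func() time.Time) *KeyStore {
	return &KeyStore{keys: map[string]*APIKey{}, now: now}
}

// Issue mints a key with an expiry and returns the bearer token "<id>.<secret>" exactly once.
func (s *KeyStore) Issue(id, org string, role Role, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	secret := hex.EncodeToString(raw)
	s.keys[id] = &APIKey{ID: id, OrgID: org, Role: role,
		Hash: sha256.Sum256([]byte(secret)), ExpiresAt: s.now().Add(ttl)}
	return id + "." + secret, nil
}

// Rotate issues a replacement for oldID and shortens the old key's life to a grace window,
// so clients can switch over without an outage; after the window the old key is dead.
func (s *KeyStore) Rotate(oldID, newID string, ttl, grace time.Duration) (string, error) {
	old, ok := s.keys[oldID]
	if !ok {
		return "", errors.New("rotate: unknown key id")
	}
	tok, err := s.Issue(newID, old.OrgID, old.Role, ttl)
	if err != nil {
		return "", err
	}
	old.ExpiresAt = s.now().Add(grace)
	return tok, nil
}

// Authenticate resolves a bearer token to its key record; the secret is compared in
// constant time against the stored digest, and expired keys are rejected.
func (s *KeyStore) Authenticate(token string) (*APIKey, error) {
	parts := strings.SplitN(token, ".", 2)
	key, found := s.keys[parts[0]]
	if len(parts) != 2 || !found {
		return nil, s.deny(parts[0], "", "authenticate", "unknown key")
	}
	got := sha256.Sum256([]byte(parts[1]))
	if subtle.ConstantTimeCompare(got[:], key.Hash[:]) != 1 {
		return nil, s.deny(key.ID, key.OrgID, "authenticate", "bad secret")
	}
	if !s.now().Before(key.ExpiresAt) {
		return nil, s.deny(key.ID, key.OrgID, "authenticate", "expired")
	}
	return key, nil
}

// Authorize enforces tenant isolation first, then the role template's permissions.
func (s *KeyStore) Authorize(key *APIKey, org, action string) error {
	if key.OrgID != org {
		return s.deny(key.ID, org, action, "cross-org access")
	}
	if !rolePerms[key.Role][action] {
		return s.deny(key.ID, org, action, "role "+string(key.Role)+" lacks "+action)
	}
	s.Audit = append(s.Audit, AuditEntry{s.now(), key.ID, org, action, true, "ok"})
	return nil
}

func (s *KeyStore) deny(id, org, action, reason string) error {
	s.Audit = append(s.Audit, AuditEntry{s.now(), id, org, action, false, reason})
	return fmt.Errorf("%s denied: %s", action, reason)
}

func main() {
	s := NewKeyStore(time.Now)
	tok, _ := s.Issue("k1", "org-a", RoleAuditor, time.Hour)
	k, _ := s.Authenticate(tok)
	fmt.Println(s.Authorize(k, "org-a", "remediate")) // auditor may not remediate
	fmt.Printf("%+v\n", s.Audit)
}
```

Two design points worth carrying into the real implementation: the store never holds the plaintext secret, so a DB dump does not leak usable keys, and rotation keeps the old key alive only for an explicit grace window, which is what lets the rotation be scheduled rather than coordinated by hand with every agent.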

Metadata



Labels: enhancement (New feature or request)
